• Electronics
• The EU Cyber Resilience Act: Planning for Compliance

The EU Cyber Resilience Act: Planning for Compliance

The EU Cyber Resilience Act (CRA) establishes stringent cybersecurity requirements for all products with digital elements sold on the European market, ensuring they remain cybersecure both in the design phase and throughout their lifecycle.

Approved on March 12, 2024 by the European Parliament, this legislation requires compliance readiness from manufacturers, distributors, and importers across the EU. After the Act is formally adopted by the Council, manufacturers will have 36 months to achieve compliance.

This article will outline the key components and steps required for compliance with the Cyber Resilience Act, helping you prepare your supply chain and avoid the penalties of noncompliance.

Why Compliance with the EU Cyber Resilience Act Matters

Compliance with the CRA is critical to protect your products – and consumers – from cyberattacks, and to avoid the penalties of non-compliance.

The CRA addresses two critical issues. Firstly, it tackles the prevalent cybersecurity vulnerabilities in digital products due to low cybersecurity standards and ensures that manufacturers remain responsible for the cybersecurity of their product throughout its lifecycle. Secondly, it aims to improve users' access to and understanding of cybersecurity information, empowering them to make informed choices regarding the cybersecurity of the products they use and how to securely set them up.

Failure to meet the cybersecurity obligations can result in legal repercussions, including fines, and have a detrimental impact on your reputation and market access within the EU. While the exact penalties will be decided by individual Member States, it's crucial to align your operations with the Act's provisions to avoid such penalties.

Scope of the Act

The CRA applies to manufacturers of hardware and software products with digital elements sold in the EU.This includes, but is not limited to, devices and components such as:

• Laptops

• Smartphones

• Hard drives

• Smart speakers

• Routers

• Switches

• Mobile applications

• Firewalls

• Video games

• Firmware

• Operating systems

• Computer processing units (CPUs)

Under the CRA, manufacturers and developers of these products are subject to cybersecurity requirements that regulate both the design phase as well as security updates.

The following types of products are not covered under the scope of the CRA:

• Software that is provided as part of a service

• Non-commercial open-source software

• Products with digital elements developed or modified exclusively for national security or defense purposes

• Products already covered by other EU legislation, such as medical devices, planes, and vehicles.

These exclusions help avoid regulatory overlap and ensure that products are regulated under the most appropriate framework for their specific use cases and risks.

Requirements of the Cyber Resilience Act

Annex I of the CRA lays out essential cybersecurity requirements for manufacturers to support products’ ability to withstand cyberattacks and operate securely.

Under Part I, manufacturers must ensure:

• Their products do not have known “exploitable vulnerabilities” when put on the market

• Vulnerabilities can be addressed through security updates, including automatic updates (which users can opt-out of or postpone easily if desired)

• Their products protect the confidentiality of stored information

• Their products are designed, developed, and produced to limit attacks and minimize negative impacts should attacks occur

Under Part II, manufacturers must:

• Identify and document vulnerabilities with a software bill of materials

• Address and remediate vulnerabilities quickly, including by providing security updates

• Regularly test and review the security of their products

• Share and publicly disclose information about vulnerabilities that were fixed after a security update, and create a policy on coordinated vulnerability disclosure

Annex II of the CRA lays out requirements for the information and instructions that must be provided to users for products with digital elements, including, but not limited to:

• The name, trademark, post address, and contact information of the manufacturer

• Where the manufacturer’s policy on coordinated vulnerability disclosure can be found

• How relevant security updates can be installed

• How user data can be removed securely.

• How automatic security updates can be turned off

The requirements laid out above are a summary of the most important requirements laid out in the CRA, but are not a comprehensive list. For the full list of requirements, see the full adopted text of the CRA.

Steps to Compliance

Manufacturers must undergo the following steps to ensure compliance.

1. Risk Assessment: Identify and evaluate cybersecurity risks for your digital products.

2. Design Integration: Incorporate essential cybersecurity measures during product design and development.

3. Conformity Assessment: Choose between self-assessment and third-party evaluation based on your product's risk profile. The Act splits the products covered into three categories. “Default” products are those without cybersecurity vulnerabilities. Manufacturers of default products can perform a self-assessment of their cybersecurity vulnerabilities.

The remaining products, listed in Annex III and IV, are identified as "Important," or "Critical", as they have higher levels of risk. These products are further divided into two risk classes, Class I and Class II. Class I products, such as password managers or biometric readers, may adhere to an EU standard to ensure compliance or undergo a third-party assessment to demonstrate compliance with the Act. Class II products, such as operating systems or firewalls and routers for industrial use, must undergo third-party assessments to demonstrate conformity due to their higher security risk.

The European Standardisation Organisations will create technical standards for many of the product categories covered

4. Declaration of Conformity: Draft an EU declaration confirming your product meets CRA requirements containing the information laid out in Annex V.

5. CE Marking: Affix the CE mark to your product as a symbol of compliance.

6. Security Updates: Define a support period (the designated timeframe during which manufacturers are obligated to provide security updates and manage vulnerabilities for their digital products, correlated with the expected duration of product use). and consistently provide necessary security updates.

7. Vulnerability Management: Establish a system for managing and addressing vulnerabilities.

8. User Information: Clearly inform users about the cybersecurity features and support period of your product.

Planning for CRA Compliance with QIMA/CCLab

As you work to achieve compliance with the EU Cyber Resilience Act, partnering with QIMA/CCLab can significantly streamline your journey. QIMA/CCLab offers specialized cybersecurity services tailored to ensure your products meet the rigorous standards set by the CRA.

With expert guidance on risk assessments, conformity assessments, vulnerability management, and electronic product testing, QIMA/CCLab can assist at every step, from design integration to putting your product on the market.

For more information on cybersecurity regulations in the EU, read our whitepaper: Cybersecurity for IoT and Beyond: Complying with EU Regulations